Added the Exchange 2010 Database Availability Group application monitor to couple of our Exchange 2010 servers and got the following error –

Clicking “More” gives the following –

This is because Solarwinds is trying to run a PowerShell script on the remote server and the script is unable to run due to authentication errors. That’s because Solarwinds is trying to connect to the server using its IP address, and so instead of using Kerberos authentication it resorts to Negotiate authentication (which is disabled). The error message too says the same but you can verify it for yourself from the Solarwinds server too. Try the following command –

So, how to fix this? Logon to the remote server and launch IIS Manager. It’s under “Administrative Tools” and may not be there by default (my server only had “Internet Information Services (IIS) 6.0 Manager”), in which case add it via Server Manager/ PowerShell –

1

2

>Import-ModuleServerManager

>Add-WindowsFeature-NameRSAT-Web-Server

Then open IIS Manager, go to Sites > PowerShell and double click “Authentication”.

In my case the Windows Remote Management (WS-Management) service was already running, so its startup type was merely changed to “Automatic (Delayed)”, but if it wasn’t already running then it would have been started too.

So what all happens here?

The service is started and type changed to “Automatic (Delayed)”.

Starting the service in itself does not do anything as it does not listen for anything. So a listener is created. This listener listens for messages sent via HTTP on all IP addresses of the machine.

A firewall exception is created for Windows Remote Management.

A configuration change is made such that when a remote user connects with admin rights to this machine, the admin rights are not stripped via User Account Control (UAC). (See this & this blog post for what this means). Basically, this configuration change involves modifying a registry entry.

Thus, to undo the effect of winrm quickconfig one must undo each of these changes.

1. Disabling the service

Either go via the Services MMC console and (1) stop the service and (2) change its type to disabled; or use PowerShell (running as administrator of course):

1

2

PS>Stop-Servicewinrm

PS>Set-Service-Namewinrm-StartupTypeDisabled

That’s disabled.

2. Delete the listener

You can see the listener thus:

1

2

3

4

5

6

7

8

9

10

C:\>winrmenumeratewinrm/config/listener

Listener

Address=*

Transport=HTTP

Port=5985

Hostname

Enabled=true

URLPrefix=wsman

CertificateThumbprint

ListeningOn=127.0.0.1,169.254.138.213,169.254.160.213

And delete it thus:

1

C:\>winrmdeletewinrm/config/Listener?Address=*+Transport=HTTP

The command has no output, so enumerate the listeners again if you want to confirm.